Nod32 update introduces false positives and delete core system files

By +Warwagon
in Back Page News

 Share

Recommended Posts

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

Nod32 Win32/Kryptik.JX false positive

This morning a recent definition update to the popular Nod32 Antivirus introduced a false positive causing the Antivirus to prompt users to remove core system files, or in some cases delete the files automatically. The system files in question are msdtc.exe, winlogon.exe and dllhost.exe. Most are located in the System32 folder while other are in the c:\windows folder. They were being detected as Win32/Kryptik.JX. You may want to check your logs to make sure you are not affected. If those system files have been automatically deleted on your system you can follow the instructions in the link below to resolve the problem. 10 mins after the problem was discovered nod32 released an update to the Antivirus definitions which corrected the issue. If you reboot the system with those files deleted windows may no longer boot until the files in question are restored.

http://kb.eset.com/esetkb/index?page=conte...ctp=LIST_RECENT

Grand Master

Scirwode

Posted
Posted
Oops, lucky I changed to Kaspersky after my Nod license expired. :p

Lucky I changed to NIS2009 after my ESS license expired :p .

Scirwode

Grand Master

tsupersonic

Posted
Posted
stopped using NOD32 in favour of comodo's entirely free package that seems just as light on resources :)
Nod32 is known not just for its light system usage, but its fantastic job in detection rates. I doubt comodo can match nod32 in terms of that.
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

There is a message on ESET's web site here with additional information about what happened and how they responded. Interesting reading.

Regards,

Aryeh Goretsky

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.

Grand Master

Smigit

Posted
Posted

They probably do test them. Whether they can test over a wide enough range of hardware and whether issues like this are necessarily visible immediately are another thing but. Sure those files are pretty obvious, but in the future it could be one that's more obscure that's only needed during a weekly scheduled event or whatever that gets wiped.

Not that it's right of course...but I highly doubt they throw these out without some testing.

Experienced

Fubar

Posted
Posted

just checked all my machines and nothing happened here , not according to the logs on all of them anyway , thanks for the heads up though

just noticed this bit on that link that was posted

The update downloads were stopped within ten minutes of the update release, and the update was reverted to its previous version. Due to this immediate response, less than 5% of our users were affected.

caught pretty much straight away , would explain a lot lol

Proficient

jamesVault

Posted
Posted (edited)

This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

The facts:

- the antivirus programs always introduce a lot of incompatibilities and problems in Windows and slow down your machine

- the antivirus programs cover only a very small % of malware in the wild

- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

===> the antivirus marked has completely failed!

Edited by jamesVault
Grand Master

+shift. MVC

Posted
  • MVC
Posted
This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

And what are you implying with that? That we shouldn't use anti-virus 'cause it does more bad than good? :rolleyes:

Grand Master

Smigit

Posted
Posted
- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

Sure, just as people wearing seat belts still die in cars and people wearing condoms still parent kids. Antivirus is not and never should be seen as a means of complete protection. Thats not to say they can't help.

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

How many definitions do anti virus companies release? Thousands? One causes an issue and within 10 minutes of being discovered it has been corrected. I'm sorry but the ratio of definitions that don't screw the machine over to the ones that do is absolutely immense and would probably imply that they do go through some testing.

Again, it certainly is disconcerting this got through but to make blanket statements like Antivirus is useless and that they don't do any testing is pretty ridiculous.

Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

My understanding is that all anti-virus companies do this, but from the description of the problem, it sounds like they were doing unit testing of virus signature databases and module updates, and both passed separately. It was some sort of interaction between the two that caused a problem. It looks like they learned from it, though: http://www.eset.com/joomla/index.php?optio...39&Itemid=2

Regards,

Aryeh Goretsky

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft about to radically change how often your Edge browser updates

      By C:Amie · Posted

      Yay, a forced new tab telling everyone edge just updated with a load of advertising in it twice as often as we currently get it. That'll never be abused. 😏
    • Visual Studio finally gets long-awaited feature that developers will love

      By wrack · Posted

      About bloody time. I have got PRs with hundred of files and the Web UI just struggling to even load the pages.
    • Windows 11 KB5094126 June 2026 Patch Tuesday update now available to download

      By +Eternal Tempest · Posted

      I wonder if it was applying secure boot certificates/dbx files?
    • Microsoft about to radically change how often your Edge browser updates

      By Snake Doc · Posted

      I recently tried edge. It seems a lot better. A lot of the junk in it is gone. It seems less bloated and snappy.
    • Lethal fake phone chargers are still being sold on Amazon and eBay, UK watchdog warns

      By zikalify · Posted

      Lethal fake phone chargers are still being sold on Amazon and eBay, UK watchdog warns by Paul Hill Credit: Pexels The UK consumer rights organization, Which?, is claiming that “potentially lethal knock-off chargers” are still being sold on online marketplaces seven years after it exposed the danger of these chargers. In its latest investigation, it bought 15 USB phone chargers from several online marketplaces and found they were missing key information, meaning they cannot be legally sold in the UK. Which? bought the 15 chargers from seven online marketplaces. These were Amazon (including Amazon Haul), AliExpress, B&Q Marketplace, Debenhams Marketplace, and eBay. It said that the chargers were so badly made that anyone using them was at risk of electric shock. Over half the chargers also posed fire and explosion risks. Of the chargers purchased, one was a fake Apple USB-C 35W power adaptor charger. To confuse buyers, the box was branded with an Apple logo, but testing found it to be a fake. Further testing picked up arcing sounds after 10 seconds of use, where a current jumps between two parts of the electrical circuit, which can cause fires, explosions, or electric shock. The manufacturers of this particular charger also put modeling clay inside it to make it feel more weighty, robust, and genuine. Not all of the chargers were technically faulty; however, some were missing key packaging, markings, and documentation, meaning they can’t be sold in the UK legally. Which? said that it is now campaigning alongside a coalition of safety groups and businesses for new laws that make online marketplaces responsible for ensuring the safety of products that they choose to list on their websites. It also said the government needs to start using powers under the Product Regulation and Metrology Act, which was adopted last July, to impose safety requirements on online marketplaces via secondary legislation, but so far, there have been delays. No matter what country you are in, be sure to properly research what you are buying and only buy authentic chargers to prevent fires. You can read more about Which?’s research here.

  • Recent Achievements

    • Week One Done
      Timaximus earned a badge
      Week One Done
    • One Month Later
      Timaximus earned a badge
      One Month Later
    • Rookie
      FBSPL went up a rank
      Rookie
    • First Post
      davidbazooked earned a badge
      First Post
    • Week One Done
      davidbazooked earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      499
    2. 2
      PsYcHoKiLLa
      174
    3. 3
      +Edouard
      160
    4. 4
      Steven P.
      84
    5. 5
      ATLien_0
      75
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!